Disclosure of Invention
The embodiment of the invention provides a method and a system for realizing a security resource pool based on an SDN network, which are used for improving the adaptability of the security resource pool to network change and the flexibility of configuration.
A first aspect of an embodiment of the present invention provides a method for implementing a secure resource pool based on an SDN network, where the SDN network includes an SDN controller and an OVS switch, and the method includes:
an OVS switch receives a target traffic packet and analyzes matching domain fields in the target traffic packet, wherein the target traffic packet comprises at least two matching domain fields;
the OVS switch matches the matching domain fields against a locally stored flow table to determine the security service chain corresponding to the target traffic packet, where the flow table is generated by the SDN controller and issued to the corresponding OVS switch, the flow table indicates the correspondence between matching domain fields of preset types and security service chains, and a security service chain indicates that the corresponding traffic packet passes through a preset number of security function components in the security resource pool in a preset sequence;
if the matching domain fields of the target traffic packet fail to match the locally stored flow table, the OVS switch requests the security service chain corresponding to the matching domain fields of the target traffic packet from the SDN controller;
and the OVS switch securely steers the target traffic packet according to the security service chain so as to complete cleaning of the target traffic packet.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the matching domain field includes, but is not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, virtual local area network (VLAN) priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the OVS switch securely steering the target traffic packet according to the security service chain includes:
the OVS switch encapsulates the service chain path ID corresponding to the security service chain, the serial numbers of all security function components on the service chain path, and the service chain metadata into the header of the target traffic packet to form an NSH label;
and the OVS switch steers the target traffic packet to the next node according to the service chain path ID in the NSH label and the current node position of the target traffic packet.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, when a target security function component in the security resource pool cannot recognize the NSH label, the OVS switch handles the NSH label through a proxy function, where the proxy function includes: removing the NSH label before the packet on the security service chain passes through the target security function component, and re-applying the NSH label when the packet returns from the target security function component to the OVS switch.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, before the receiving, by the OVS switch, a target traffic packet and analyzing a matching domain field in the target traffic packet, the method further includes:
when the user-side network is provided with a core gateway with a policy routing function, the OVS switch receives the target traffic packet from the core gateway and performs network address translation (NAT) on the IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch;
when the user side is not provided with a core gateway and the security resource pool and the user-side network are not in the same layer network, the OVS switch receives the target traffic packet from the core gateway and performs NAT on the IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the matching domain field further includes a tenant ID, and when multiple tenants use the same IP address, the OVS switch performs matching according to a flow table stored locally to determine a security service chain of a tenant traffic packet using the same IP address.
With reference to the first aspect, the first to fifth possible implementation manners of the first aspect, and in a sixth possible implementation manner of the first aspect, when the security function components in the security resource pool are located in different physical hosts, the OVS switch transmits the traffic packets through an overlay tunnel, where the overlay tunnel is used to isolate the traffic packets of different tenants in the security resource pool.
A second aspect of an embodiment of the present invention provides a secure resource pool system based on an SDN network, where the secure resource pool system includes:
an SDN controller and a secure resource pool, wherein,
the security resource pool comprises an OVS switch and at least one security function component;
the OVS switch comprises a two-layer switching module, a flow classification module, a communication module and a forwarding module;
the two-layer switching module is configured to receive a target traffic packet;
the flow classification module is configured to parse the matching domain fields in the target traffic packet and match them against a locally stored flow table to determine the security service chain corresponding to the target traffic packet, where the target traffic packet comprises at least two matching domain fields, the flow table indicates the correspondence between matching domain fields of preset types and security service chains, and a security service chain indicates that the corresponding traffic packets pass through a preset number of security function components in the security resource pool in a preset sequence;
if the matching domain fields of the target traffic packet fail to match the locally stored flow table, the communication module is configured to request the security service chain corresponding to the matching domain fields of the target traffic packet from the SDN controller;
and the forwarding module is configured to securely steer the target traffic packet according to the security service chain so as to complete cleaning of the target traffic packet.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the matching field includes, but is not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, virtual local area network (VLAN) priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number, TCP/UDP destination port number.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the flow classification module includes a parsing unit and a label unit, where the parsing unit is configured to parse the matching fields in the target traffic packet and match them against a locally stored flow table to determine the security service chain corresponding to the target traffic packet;
the label unit is configured to encapsulate the service chain path ID corresponding to the security service chain, the serial numbers of all security function components on the service chain path, and the service chain metadata into the header of the target traffic packet to form an NSH label;
and the forwarding module is configured to steer the target traffic packet to the next node according to the service chain path ID in the NSH label and the current node position of the target traffic packet, so as to achieve secure steering of the target traffic packet.
With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the OVS switch further includes a proxy module, where, when a target security function component in the security resource pool cannot recognize the NSH label, the proxy module handles the NSH label through a proxy function, where the proxy function includes: removing the NSH label before the packet on the security service chain passes through the target security function component, and re-applying the NSH label when the packet returns from the target security function component to the OVS switch.
With reference to the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the OVS switch further includes an OVN module, and when a core gateway with a policy routing function is provided in the user-side network, the OVN module is configured to receive the target traffic packet from the core gateway and perform network address translation (NAT) on the IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch;
when the user side is not provided with a core gateway and the security resource pool and the user-side network are not in the same layer network, the OVN module is configured to receive the target traffic packet from the core gateway and perform NAT on the IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch.
With reference to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the matching domain field further includes a tenant ID, and when multiple tenants use the same IP address, the parsing unit performs matching according to a flow table stored locally to determine a security service chain of a tenant traffic packet using the same IP address.
With reference to the second aspect, the first to fifth possible implementation manners of the second aspect, and in a sixth possible implementation manner of the second aspect, when the security function components in the security resource pool are located in different physical hosts, the OVS switch performs transmission of traffic packets through an overlay tunnel, where the overlay tunnel is used to isolate traffic packets of different tenants in the security resource pool.
According to the technical scheme, the embodiment of the invention has the following advantages:
the gateway of the security resource pool in the embodiment of the invention adopts an SDN network architecture: the control plane and data plane of the network equipment in the SDN network are separated, the security service chain is configured by the SDN controller, and the network interfacing function is implemented by the OVS switch, so that the network interfacing function and the steering policy function of the security resource pool service chain are decoupled and the adaptability of the security resource pool to network changes is improved; secondly, the steering policy in the security service chain can be configured in multiple dimensions using at least two matching domain fields, so that the flexibility of security resource pool configuration is improved.
Detailed Description
The embodiment of the invention provides a method and a system for realizing a security resource pool based on an SDN network, which are used for improving the adaptability of the security resource pool to network change and the flexibility of configuration.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For ease of understanding, Software Defined Networking (SDN) is briefly introduced below. SDN is an open environment that turns a traditionally closed network into a computer-like environment that can be programmed: it creates an easily managed network virtualization layer, decouples network control from the physical infrastructure, and lets third parties develop network applications that control the operation of the network. OpenFlow is one way to implement SDN; it enables users to define traffic themselves and determine the path the traffic takes through the network. An SDN network built on OpenFlow comprises an SDN controller and SDN switches. The SDN switch is the core component and consists of the OpenFlow protocol, a secure channel and a flow table. The SDN switch reports its capabilities to the SDN controller, and the SDN controller configures flow rules for the switch and issues them to the flow table of the SDN switch. In the present application only one kind of SDN switch, namely the OVS switch, is taken as an example; the OVS switch is a stable open-source software SDN switch that also supports conventional networks.
For convenience of understanding, a specific flow in the embodiment of the present invention is described below, and referring to fig. 4, an embodiment of a method for implementing a secure resource pool based on an SDN network in the embodiment of the present invention may include:
100. the OVS switch receives the target traffic packet and analyzes a matching domain field in the target traffic packet;
A user may define the security components that the user's own traffic packets need to pass through via a northbound API provided by the SDN controller, for example a RESTful API, and the SDN controller generates the corresponding traffic packet forwarding rule, that is, a security service chain, based on the security components selected by the user through the northbound API and their order, where the security service chain indicates that the corresponding traffic packet passes through a preset number of security function components in the security resource pool in a predetermined order. A RESTful API is an application programming interface (API) that conforms to the REST (Representational State Transfer) architectural style.
Each data packet contains specific characteristic fields, namely matching domain fields; each data packet can be identified by its matching domain fields and matched with a corresponding security service chain, and the SDN controller can construct a corresponding flow table from the correspondence between the matching domain fields of data packets and security service chains and issue the flow table to the corresponding OVS switch. Specifically, optional matching fields include, but are not limited to: switch ingress port, source MAC address, destination MAC address, Ethernet type, Ethernet tag, VLAN priority, source IP, destination IP, IP protocol field, IP type of service, TCP/UDP source port number and TCP/UDP destination port number. The matching fields may be configured reasonably according to the user's requirements and changes in network protocols, and are not limited herein.
Specifically, the corresponding relation is established between the at least two matching domain fields and the security service chain, so that the multi-dimensional matching of the security service chain and the traffic packet can be realized, and the flexibility of the application of the security service chain of the security resource pool and the matching of the traffic packet is improved.
After the OVS switch receives the target traffic packet, the matching field in the target traffic packet may be parsed for further processing.
200. The OVS switch matches the matching domain fields against a locally stored flow table to determine the security service chain corresponding to the target traffic packet;
the OVS switch matches the matching domain fields of the target data packet against the locally stored flow table to determine the security service chain corresponding to the target traffic packet; if the matching domain fields of the target traffic packet match the locally stored flow table successfully, step 400 is executed, and if they do not match successfully, step 300 is executed.
300. The OVS switch requests a corresponding SDN controller for a security service chain corresponding to a matching domain field of a target traffic packet;
If the matching domain fields of the target traffic packet fail to match the locally stored flow table, the OVS switch requests the security service chain corresponding to the target traffic packet from the corresponding SDN controller. Specifically, the OVS switch may send the target data packet, or the matching domain fields corresponding to the target data packet, to the corresponding SDN controller, so as to request the SDN controller to configure a security service chain corresponding to the target traffic packet.
400. The OVS switch securely steers the target traffic packet according to the security service chain so as to complete cleaning of the target traffic packet.
After the security service chain corresponding to the target traffic packet is determined, the OVS switch may install the forwarding rules of the security service chain to securely direct the target traffic packet to the corresponding security components for cleaning.
Optionally, as a possible implementation manner, the OVS switch securely steering the target traffic packet according to the security service chain may include:
401. The OVS switch encapsulates the service chain path ID corresponding to the security service chain, the serial numbers of all security function components on the service chain path, and the service chain metadata into the header of the target traffic packet to form an NSH label;
In practical application, a user can define a plurality of security service chains, each corresponding to a data packet forwarding path, and a service chain path ID can be assigned to each path; through the service chain path ID, the OVS switch can identify the forwarding path that each security service chain corresponds to. Each service chain may need to pass through a plurality of security function components. In order to determine which node of the service chain the target traffic packet is currently at while it is being forwarded among the plurality of security components, the OVS switch can add a tag to the target traffic packet that identifies the forwarding progress along the service chain. Specifically, the service chain path ID corresponding to the security service chain, the serial number of each security function component on the service chain path, and the service chain metadata are encapsulated in the header of the target traffic packet to form an NSH tag; the specific layout of the NSH tag can be set reasonably according to the user's requirements and is not limited herein.
Alternatively, the NSH may be carried by techniques such as unused fields of IP packets or specific fields of GRE/VXLAN headers.
402. The OVS switch steers the target traffic packet to the next node according to the service chain path ID in the NSH label and the current node position of the target traffic packet.
Each time the target traffic packet passes through one security component in the service chain, it returns to the OVS switch; the next security function node is determined from the service chain path ID in the NSH label of the returned data packet and the node where the target traffic packet is currently located, and the target traffic packet is directed to that next node.
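As an added illustration (not code from this patent), the following Python model walks a packet through steps 100 to 402 above together with the tenant ID matching field of the fifth implementation manner: the switch parses the matching domain fields, looks the packet up in its local flow table, asks a stand-in controller on a miss and caches the issued rule, then attaches an NSH-style label (path ID, component serial numbers, metadata, current position) and steers the packet node by node, stripping and re-applying the label around a component that cannot read it (the proxy function). All component names, addresses and tenant IDs are constructed sample values, and the in-memory label is a simplification of a real NSH header.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matching-domain fields the classifier parses (subset of the list in the text);
# tenant_id is the extra field used to tell apart tenants sharing one IP address.
MATCH_KEYS = ("in_port", "src_mac", "dst_mac", "eth_type", "vlan_prio", "src_ip",
              "dst_ip", "ip_proto", "src_port", "dst_port", "tenant_id")
Fields = Dict[str, object]

@dataclass
class ServiceChain:
    path_id: int             # service chain path ID
    components: List[str]    # serial numbers of the security components, in order

@dataclass
class NSHLabel:              # label the switch prepends to the packet (step 401)
    path_id: int
    components: List[str]
    metadata: Fields
    position: int = 0        # index of the node the packet is currently at

@dataclass
class Packet:
    fields: Fields           # parsed matching-domain fields
    nsh: Optional[NSHLabel] = None

def matches(fields: Fields, match: Fields) -> bool:
    # a rule matches when every field it names equals the packet's; absent = wildcard
    return all(fields.get(k) == v for k, v in match.items())

class FlowTable:
    """Flow table issued by the controller; the most specific matching entry wins."""
    def __init__(self) -> None:
        self.entries: List[Tuple[Fields, ServiceChain]] = []
    def install(self, match: Fields, chain: ServiceChain) -> None:
        self.entries.append((match, chain))
    def lookup(self, fields: Fields) -> Optional[ServiceChain]:
        hits = [(len(m), c) for m, c in self.entries if matches(fields, m)]
        return max(hits, key=lambda h: h[0])[1] if hits else None

class Controller:
    """Stand-in SDN controller holding chains the user defined over the northbound API."""
    def __init__(self, policy: List[Tuple[Fields, ServiceChain]]) -> None:
        self.policy, self.requests = policy, 0
    def request_chain(self, fields: Fields) -> Optional[ServiceChain]:
        self.requests += 1
        return next((c for m, c in self.policy if matches(fields, m)), None)

class OVSSwitch:
    def __init__(self, controller: Controller, nsh_aware: Dict[str, bool]) -> None:
        self.flow_table, self.controller = FlowTable(), controller
        self.nsh_aware = nsh_aware                   # components able to read the label
        self.trace: List[Tuple[str, bool]] = []      # (component, label visible to it)

    def classify(self, pkt: Packet) -> Optional[ServiceChain]:
        """Steps 100-300: parse fields, match the local table, else ask the controller."""
        fields = {k: pkt.fields[k] for k in MATCH_KEYS if k in pkt.fields}
        chain = self.flow_table.lookup(fields)
        if chain is None:
            chain = self.controller.request_chain(fields)
            if chain is not None:
                self.flow_table.install(fields, chain)   # cache the issued rule locally
        return chain

    def steer(self, pkt: Packet, chain: ServiceChain) -> List[str]:
        """Steps 401-402: attach the NSH label, then walk the chain node by node."""
        pkt.nsh = NSHLabel(chain.path_id, list(chain.components),
                           {"tenant_id": pkt.fields.get("tenant_id")})
        visited: List[str] = []
        while pkt.nsh.position < len(pkt.nsh.components):
            nxt = pkt.nsh.components[pkt.nsh.position]   # next hop from path ID + position
            self._to_component(pkt, nxt)
            visited.append(nxt)
            pkt.nsh.position += 1       # packet is back at the switch; advance one node
        pkt.nsh = None                  # chain complete: label removed before egress
        return visited

    def _to_component(self, pkt: Packet, comp: str) -> None:
        saved = pkt.nsh
        if not self.nsh_aware.get(comp, True):
            pkt.nsh = None              # proxy: strip the label for an NSH-unaware component
        self.trace.append((comp, pkt.nsh is not None))   # record what the component sees
        pkt.nsh = saved                 # proxy: re-apply the label on return to the switch

def run_demo():
    """Constructed scenario: tenants A and B share 10.0.0.5; only A's rule is local."""
    chain_a = ServiceChain(1, ["FW-01", "IPS-02"])
    chain_b = ServiceChain(2, ["WAF-03"])
    ctrl = Controller([({"src_ip": "10.0.0.5", "tenant_id": "A"}, chain_a),
                       ({"src_ip": "10.0.0.5", "tenant_id": "B"}, chain_b)])
    sw = OVSSwitch(ctrl, nsh_aware={"FW-01": True, "IPS-02": False, "WAF-03": True})
    sw.flow_table.install({"src_ip": "10.0.0.5", "tenant_id": "A"}, chain_a)
    results = {}
    for tenant in ("A", "B"):
        pkt = Packet({"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "ip_proto": 6,
                      "dst_port": 443, "tenant_id": tenant})
        chain = sw.classify(pkt)
        results[tenant] = sw.steer(pkt, chain) if chain else []
    return results, sw, ctrl
```

Running `run_demo()` shows tenant A matched locally while tenant B needed one controller round-trip, after which B's rule is also in the local table; the trace shows the NSH-unaware component IPS-02 never saw the label.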
The gateway of the security resource pool in the embodiment of the invention adopts an SDN network architecture: the control plane and data plane of the network equipment in the SDN network are separated, the security service chain is configured by the SDN controller, and the network interfacing function is implemented by the OVS switch, so that the network interfacing function and the steering policy function of the security resource pool service chain are decoupled and the adaptability of the security resource pool to network changes is improved; secondly, the steering policy in the security service chain can be configured in multiple dimensions using at least two matching domain fields, so that the flexibility of security resource pool configuration is improved.
On the basis of the above embodiment, in actual application, the user-side network architecture needs to be considered when deploying the security resource pool: the user-side network may or may not be provided with a core gateway having a policy routing function, or the security resource pool and the user-side network are not in the same layer network.
Specifically, when the user-side network is provided with a core gateway with a policy routing function, the OVS switch receives the target traffic packet from the core gateway and performs network address translation (NAT) on the IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch;
when the user side is not provided with a core gateway and the security resource pool and the user-side network are not in the same layer network, the OVS switch receives the target traffic packet from the core gateway and performs NAT on the IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch.
On the basis of the above embodiment, in actual application, several tenants in the same network may use the same IP address. In this case, in order to match the traffic packets of different tenants with different security service chains, a tenant ID may be introduced as one field of the matching domain: the SDN controller maps different tenant IDs to different security service chains, and when the matching domain including the tenant ID is matched against the locally stored flow table, traffic packets of tenants sharing the same IP address can be matched with different security service chains.
On the basis of the above embodiment, in practical application, when the security function component in the security resource pool is located in different physical hosts, the OVS switch transmits a traffic packet through an overlay tunnel, where the overlay tunnel is used to isolate traffic packets of different tenants in the security resource pool.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above steps do not mean the execution sequence, and the execution sequence of each step should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
For convenience of understanding, the implementation method of the SDN network-based security resource pool in the embodiment of the present invention will be described below with reference to a specific application example.
In practical application, customer requirements when deploying the security resource pool fall mainly into three categories:
1. the client's physical router supports the policy routing function and can steer traffic to the security resource pool for cleaning;
2. the client's router does not support the policy routing function, but traffic is still to be cleaned by the security resource pool, so the policy routing function is implemented by the security resource pool itself;
3. the client's existing physical security device is deployed in transparent mode and is to be replaced by the security resource pool, so the security resource pool must also be deployed in transparent mode and policy-routing-based steering cannot be used.
These three requirements correspond respectively to the routing mode, gateway mode and transparent mode of the security resource pool, and the current steering mode of the security resource pool can automatically adapt to the network deployment modes of different customers.
Referring to fig. 5, fig. 6 and fig. 7, the customer service cloud is the customer's local data center or private cloud and carries the customer's service systems. The extranet is the network outside the customer service cloud, generally the Internet. WAN port and LAN port: for inbound traffic, external network traffic enters the router through the WAN port and then enters the customer network through the LAN port; for outbound traffic, intranet traffic enters the router through the LAN port and then enters the external network through the WAN port.
When the security resource pool is deployed in routing mode, the client's physical router supports the policy routing function, as shown in fig. 5, and the deployment mode is the same as that of policy routing: the OVN module in the OVS switch serves as the default gateway of the security resource pool and is responsible for interfacing with the client's core router. The client's core router directs the target traffic packets that need to pass through the security resource pool to the default gateway of the security resource pool (traffic packets go to the OVS switch first and then to the OVN module). The OVN module performs NAT on the traffic packet and then forwards the traffic to be cleaned to the OVS switch; the OVS switch parses the matching domain fields in the target traffic packet, matches them against the locally stored flow table to determine the security service chain corresponding to the target traffic packet, and steers the packet according to the security service chain to complete cleaning; the traffic packet is then forwarded back to the client's core router through the OVN module, completing one round of traffic detection and/or cleaning.
When the secure resource pool is deployed in gateway mode, as shown in fig. 6, the OVN module in the OVS switch replaces the core router of the client. The security resource pool and the customer service cloud can be in the same two-layer network or different two-layer networks, and the OVN module needs to realize the policy routing function. If the security resource pool and the customer service cloud are on the same two-layer network, the inbound traffic from the security resource pool to the customer service cloud or the outbound traffic from the customer service cloud to the security resource pool does not need to pass through the OVN module. If the OVN module is also the default gateway of the security resource pool in different two-layer networks, the gateway mode is degenerated to the routing mode, and the OVN module realizes the roles of the client core router and the default gateway of the security resource pool at the same time.
When the secure resource pool is deployed in a transparent mode, as shown in fig. 6, it is common that the original physical security device of the client is deployed in the transparent mode, and the physical security device is replaced by the secure resource pool, but the original network topology is not required to be changed, and at this time, the secure resource pool must be accessed in the transparent mode. The security component of the security resource pool and the customer service cloud are in the same two-layer network, a flow packet enters an OVS switch, the OVS switch analyzes a matching domain field in a target flow packet and matches the matching domain field with a locally stored flow table to determine a security service chain corresponding to the target flow packet, the flow is guided according to the security service chain to complete cleaning, and then the flow packet returns to the OVS switch to perform virtual two-layer forwarding so that the flow packet is forwarded through a WAN port or a LAN port.
Specifically, as shown in fig. 7, the OVS switch may include: an OVN module, a virtual two-layer switching module, a flow classification module, a security service chain steering module, a Proxy module and an overlay tunnel.
The functions of the OVN module may include: ARP reply and proxy ARP reply, ARP packet generation, running routing protocols, three-layer forwarding and NAT. ARP reply means answering an ARP request with the MAC address of the device itself, and proxy ARP reply means answering an ARP request with the MAC address of a security component on that component's behalf. ARP packet generation means that in gateway mode, after a data packet has been detected and filtered by the security service chain and arrives at the OVN module, it can only be forwarded if the next-hop MAC address is known; at this point the OVN module caches the data packet, constructs and sends an ARP request to query the next-hop MAC address, and when the ARP reply is received, rewrites the destination MAC address and source MAC address of the original data packet and forwards it. Running routing protocols means running static/dynamic routing protocols and exchanging routing information with other routers to form the module's own routing forwarding table. Three-layer forwarding means forwarding data packets according to the routing table. NAT includes the SNAT and DNAT functions.
The functions of the virtual two-layer switching module may include: MAC address learning, two-layer forwarding, and encapsulation/decapsulation of VLAN packet headers. MAC address learning means building a two-layer forwarding table from the correspondence between the source MAC address of a data packet and the switch port it arrived on. Two-layer forwarding means looking up the two-layer forwarding table by destination MAC address and forwarding the data packet out of the correct switch port. Encapsulation/decapsulation of the VLAN header means stripping the VLAN header before the data packet is delivered to the OVN module, and adding the VLAN header back when the data packet returns to this module after passing through the security service chain.
The flow classification module classifies traffic by flexible combinations of matching domain fields and by differing quality-of-service requirements, and marks packets with NSH labels. Security service chain steering means forwarding traffic according to the forwarding policy associated with the service chain and the NSH label of the data packet, so that the traffic passes through the predefined physical/virtual security function components in sequence. The Proxy module removes the NSH label from the data packet before sending it to a security function component; when the data packet returns from the security function component, it is either classified again or the NSH label is re-added by the Proxy module. The Overlay tunnel means that when security function components are on different physical hosts, the OVS switches of the different hosts can transmit data packets through an overlay tunnel; the tunnel is mainly used to isolate the traffic of different tenants in the security resource pool, and overlay tunnel technologies include VXLAN, GRE, STT, Geneve and the like.
Specifically, the SDN controller includes: northbound API, ARP, NAT, SFC, route calculation, topology, VLAN, network information acquisition, and configuration and flow table construction and issuing. The northbound API is typically a RESTful API for invocation by the user interface or remote management layer. ARP refers primarily to ARP table maintenance, which assists the OVN module in achieving ARP-related functions. NAT assists the OVN module in achieving the SNAT and DNAT functions. Route calculation implements generic and custom routing algorithms, including shortest paths. The topology module stores the whole-network or local topology information. The VLAN module assists the OVS virtual two-layer switching module in realizing VLAN-related functions. Network information acquisition collects state information from the underlying OVS switches and security function components. The configuration and flow table construction module automatically generates configuration and flow tables from the parameters and configuration/flow table templates. The configuration and flow table issuing module selects the corresponding adapter, converts the configuration and flow tables into a format the underlying devices can understand, and issues them. The SFC module covers service chain definition, path calculation, rule conflict detection, and invoking the topology, network information acquisition, and flow table construction and issuing modules; it also needs to support dynamic addition, deletion and modification of service chains caused by migration of security function components and other reasons.
In the foregoing embodiment, a method for implementing a security resource pool based on an SDN network in the embodiment of the present invention is described. Referring to fig. 8, a security resource pool system based on an SDN network in the embodiment of the present invention is described below, where an embodiment of the system may include:
an SDN controller 70 and a secure resource pool 80, wherein
the secure resource pool 80 comprises an OVS switch 800 and at least one secure function component 900;
the OVS switch 800 includes a Layer 2 switching module 801, a flow classification module 802, a communication module 803, and a forwarding module 804;
the Layer 2 switching module 801 is configured to receive a target traffic packet;
the flow classification module 802 is configured to analyze the matching domain fields in the target traffic packet and match them against a locally stored flow table to determine the security service chain corresponding to the target traffic packet, where the target traffic packet includes at least two matching domain fields, the flow table indicates a correspondence between matching domain fields of a preset type and a security service chain, and the security service chain indicates that the corresponding traffic packets pass through a preset number of security function components in the security resource pool in a predetermined order;
if the matching fields of the target traffic packet are not successfully matched against the locally stored flow table, the communication module 803 is configured to request from the SDN controller 70 the security service chain corresponding to the matching fields of the target traffic packet;
the forwarding module 804 is configured to securely steer the target traffic packet according to the security service chain, so as to complete the cleaning of the target traffic packet.
Optionally, as a possible implementation manner, the matching field includes but is not limited to: switch ingress port, source MAC address, destination MAC address, ethernet type, ethernet tag, virtual local area network VLAN priority, source IP, destination IP, IP protocol field, IP service type, TCP/UDP source port number, TCP/UDP destination port number.
Optionally, as a possible implementation manner, the flow classification module 802 includes an analysis unit and a tag unit, where the analysis unit is configured to analyze the matching fields in the target traffic packet and match them against the locally stored flow table to determine the security service chain corresponding to the target traffic packet;
the tag unit is configured to encapsulate the service chain path ID corresponding to the security service chain, the sequence numbers of all security function components on the service chain path, and the service chain metadata into the header of the target traffic packet to form an NSH label;
the forwarding module 804 is configured to direct the target traffic packet to the next node according to the service chain path ID in the NSH label and the node position where the target traffic packet is currently located, so as to implement secure steering of the target traffic packet.
Optionally, as a possible implementation manner, the OVS switch 800 further includes a proxy module, and when a target security function component in the security resource pool cannot recognize the NSH label, the proxy module processes the NSH label through a proxy function, where the proxy function includes: removing the NSH label before the traffic on the security service chain passes through the target security function component, and re-applying the NSH label when the traffic returns from the target security function component to the OVS switch.
Optionally, as a possible implementation manner, the OVS switch 800 further includes an OVN module, and when a core gateway with a policy routing function is provided in the user-side network, the OVN module is configured to receive a target traffic packet from the core gateway and perform network address translation (NAT) on an IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch;
when the user side is not provided with a core gateway and the security resource pool and the user-side network are not in the same layer of the network, the OVN module is configured to receive a target traffic packet from the core gateway and perform NAT on an IP address in the target traffic packet, so that the IP address in the target traffic packet can be recognized by the OVS switch.
Optionally, as a possible implementation manner, the matching fields further include a tenant ID, and when multiple tenants use the same IP address, the analysis unit performs matching against the locally stored flow table to determine the security service chain for a tenant's traffic packet that uses that shared IP address.
Optionally, as a possible implementation manner, when the security function components 900 in the security resource pool 80 are located on different physical hosts, the OVS switch 800 transmits the traffic packets through an overlay tunnel, where the overlay tunnel is used to isolate the traffic packets of different tenants in the security resource pool, and the overlay tunneling technologies here include VXLAN, GRE, STT, Geneve, and the like.
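As an added example (not the patent's own code; the component names, field values and the NSH dataclass layout are assumptions), the following Python sketches the analysis unit's flow-table match including the tenant ID, the tag unit's NSH label, and the forwarding module's choice of next node from the service path ID and the packet's current position:

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed flow table (assumed names/values): match fields -> service path ID.
# Both tenants use 10.0.0.5; only tenant_id separates them (absent keys are wildcards).
FLOW_TABLE = [
    ({"tenant_id": 1, "dst_ip": "10.0.0.5", "ip_proto": 6, "dst_port": 80}, 100),
    ({"tenant_id": 2, "dst_ip": "10.0.0.5", "ip_proto": 6, "dst_port": 80}, 200),
]
# Service chain paths: SPI -> ordered security function components (assumed names).
SERVICE_PATHS = {100: ["fw-1", "ids-1", "waf-1"], 200: ["fw-2", "ids-2"]}

@dataclass
class NSH:
    spi: int                 # service path ID
    si: int                  # service index: remaining hops, counts down to 0
    metadata: dict = field(default_factory=dict)

def classify(pkt: dict) -> Optional[int]:
    """Analysis unit: exact match of every field in a flow entry; None on a miss,
    at which point the OVS would ask the SDN controller for the chain."""
    for match, spi in FLOW_TABLE:
        if all(pkt.get(k) == v for k, v in match.items()):
            return spi
    return None

def label(pkt: dict, spi: int) -> NSH:
    """Tag unit: SPI, component count as initial index, and chain metadata."""
    return NSH(spi, len(SERVICE_PATHS[spi]), {"tenant_id": pkt["tenant_id"]})

def next_hop(nsh: NSH) -> Optional[str]:
    """Forwarding module: next component from SPI plus current position (SI)."""
    if nsh.si == 0:
        return None                      # chain complete, packet leaves the pool
    chain = SERVICE_PATHS[nsh.spi]
    return chain[len(chain) - nsh.si]

def advance(nsh: NSH) -> NSH:
    """Component handed the packet back to the OVS: move one position along."""
    return NSH(nsh.spi, nsh.si - 1, nsh.metadata)

def steer(pkt: dict) -> Optional[list]:
    """Drive a packet through its whole chain; returns the visited component list."""
    spi = classify(pkt)
    if spi is None:
        return None
    nsh, path = label(pkt, spi), []
    while (hop := next_hop(nsh)) is not None:
        path.append(hop)
        nsh = advance(nsh)
    return path
```

A packet from a third tenant, or one whose port does not match, yields `None` from `classify`, which is the point at which the communication module would request the chain from the controller.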
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.